Pushing biometrics when it doesn’t even work

Mastercard is testing a smartphone app that uses facial recognition to verify online purchases. http://www.bbc.com/news/technology-33379461
Users in the trial can hold their phone up as though taking a selfie to approve transactions.
“The new generation, which is into selfies… I think they’ll find it cool,” the firm’s security expert Ajay Bhalla told CNN.
One security expert told the BBC facial recognition should be complemented with “extra layers of security”.
“Google tried facial recognition on Android phones and there were a lot of problems in the early days”, said Ken Munro, security researcher at Pen Test Partners.
“People realised you could take a photo of somebody and present it to the camera, and the phone would unlock.”
Spoofed

Google admits its facial recognition is “less secure than a pattern, PIN or password” on the website for one of its devices.
Mastercard’s app asks users to blink to prove that they are human, but even this has been spoofed in the past.
“People took photographs and animated them, drawing eyelids on,” said Mr Munro. “There have been advances in biometrics since then, but they’re not quite there yet.”
Ajay Bhalla is Mastercard’s president of enterprise security.
Mastercard is exploring facial recognition as an alternative to SecureCode, its security software that asks online shoppers for a password to make purchases.
The company said SecureCode was used in three billion transactions last year.
In March, Chinese shopping brand Alibaba demonstrated a facial recognition app, but hasn’t brought it to market yet.
Mastercard’s facial recognition trial involves 500 users in the United States.
‘Cumbersome’

“Mastercard will want this to be secure because they’re dealing with money. But there is a case for adding extra layers of security,” said Mr Munro.
“If an ordinary password gets compromised you can simply revoke it or change it.
“What happens if your facial recognition data gets stolen? You can’t change your face.”
Mastercard said it was also exploring fingerprint security and voice recognition, which could make life easier for customers.
Mr Munro was clear that the best security would be a little more “cumbersome”.
“Ideally I’d like to see facial recognition used in conjunction with a PIN. Both systems have flaws, but work brilliantly when you combine them.”